Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGuest
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiTester
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiVoice
- FortiWAN
- FortiToken
- FortiWeb
- Wireless Controller
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Fortigate API works for everything but admin passw...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate API works for everything but admin password change
Example 1 works fine. Example 2 fails with a 403 status code. RestAPI Admin account is a super_admin with access to Global. debug cli on Fortigate shows no communication for 2 but full communication with 1. Scratching my head on this for a few days now. The "password" option seems to break it. These command come off the Fortinet Developer Network 6.2 API page. There is no password complexity requirements on this Fortigate.
Works Ex 1:
curl -k -X PUT "https://FORTIGAGE-FQDN-HERE:443/api/v2/cmdb/system/admin/USERNAME-HERE?access_token=ACCESS-TOKEN-HERE" -H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -d "{ \"name\": \"USERNAME-HERE\", \"comments\": \"This is a comment\"}"
Fails Ex 2:
curl -k -X PUT "https://FORTIGAGE-FQDN-HERE:443/api/v2/cmdb/system/admin/USERNAME-HERE?access_token=ACCESS-TOKEN-HERE" -H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -d "{ \"name\": \"USERNAME-HERE\", \"password\": \"PASSWORD-HERE\", \"comments\": \"This is a comment\"}"
Solved! Go to Solution.
Labels:
- Labels:
-
6.2
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So. I tested this and what I believe is, the api-user can not change sys-admin passwords with just a PUT or POST.
You can create a new admin but you can not change the password of the system admin. You can only change the other parameters of the system admin
To create a new admin with HTTP-POST json format data
{ "name":"systemadmin111", "comments":"pushed via. API", "password":"hotshotDiDiO", "accprofile" : "super_admin",}
To change a new admin attributes with HTTP-PUT json format data
{ "name":"systemadmin111", "comments":"change me", "accprofile" : "prof_admin", "schedule" : "none", }
curl -X POST -d @./createuser -k "https://x.x.x.x/api/v2/cmdb/system/admin?access_token=1xhG14ytfQ50wn0sNsxcgzpf2pW888" -H Content-Type: application/json curl -X PUT -d @./changeuser -k "https://x.x.x.x/api/v2/cmdb/system/admin/systemadmin111?access_token=1xhG14ytfQ50wn0sNsxcgzpf2pW888" -H Content-Type: application/json curl -k "https://x.x.x.x/api/v2/cmdb/system/admin/systemadmin111?access_token=1xhG14ytfQ50wn0sNsxcgzpf2pW888" -H Content-Type: application/json I would have to see if something else is doable but my testing shows if you use password or passwd and with HTTP-PUT it does not make any changes. A side note , if you do not set a password in your json body , fortios will create the user with password and allow you to login as-is the same holds true if you did it via the cli but if you use the webUI the password is mandatory. I was shock to say the least that you could even craft a system admin with no-password. Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yeah I ran into this also but never spent time investigating until you post this thread. I still believe FTNT put some type of hook in NOT allowing you permission to change existing admin.
It's the same for sms-phone also. You can see more of it when you make the API call
diag debug reset
diag debug enable
diag debug app httpsd -1
And then call the PUT and you will get the "deny for blah blah blah" and status code 403.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IDNK but with the local users the string is "passwd"
e.g data_body
{ "passwd" : "93939393939939339" } API call to change my local username curl -v -X PUT -k "https://3.3.3.3/api/v2/cmdb/user/local/klenfelix?access_token=1xhG14ytfL50wn0MNsxcgzpf3pG888" -H "Content-Type: application/x-www-form-urlencoded" -d @./passwd { "http_method":"PUT", "revision":"a3e33bd10417d4b69f10a5f4536c75bb", "revision_changed":true, "old_revision":"4aa389c6d19ed8e7ad9a3dfdfd26574f", "mkey":"klenfelix", "status":"success", "http_status":200, "vdom":"root", "path":"user", "name":"local", "serial":"FG100ETK14010505", "version":"v6.4.4", "build":1803} I have you tried json keyword "passwd" ? and have you tried installed a encrypted password with ENC? With the local users if you push the exact same password value the revison_changed does not toggle true but in your case a 403 tells me permissions Please let us know what you find. Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So. I tested this and what I believe is, the api-user can not change sys-admin passwords with just a PUT or POST.
You can create a new admin but you can not change the password of the system admin. You can only change the other parameters of the system admin
To create a new admin with HTTP-POST json format data
{ "name":"systemadmin111", "comments":"pushed via. API", "password":"hotshotDiDiO", "accprofile" : "super_admin",}
To change a new admin attributes with HTTP-PUT json format data
{ "name":"systemadmin111", "comments":"change me", "accprofile" : "prof_admin", "schedule" : "none", }
curl -X POST -d @./createuser -k "https://x.x.x.x/api/v2/cmdb/system/admin?access_token=1xhG14ytfQ50wn0sNsxcgzpf2pW888" -H Content-Type: application/json curl -X PUT -d @./changeuser -k "https://x.x.x.x/api/v2/cmdb/system/admin/systemadmin111?access_token=1xhG14ytfQ50wn0sNsxcgzpf2pW888" -H Content-Type: application/json curl -k "https://x.x.x.x/api/v2/cmdb/system/admin/systemadmin111?access_token=1xhG14ytfQ50wn0sNsxcgzpf2pW888" -H Content-Type: application/json I would have to see if something else is doable but my testing shows if you use password or passwd and with HTTP-PUT it does not make any changes. A side note , if you do not set a password in your json body , fortios will create the user with password and allow you to login as-is the same holds true if you did it via the cli but if you use the webUI the password is mandatory. I was shock to say the least that you could even craft a system admin with no-password. Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Ken, I will raise a feature request.
In our production environment we have compliance requirements to rotate local admin passwords on a regular basis hence my need to automate this. We do this for all vender equipment, but Fortinet Fortigate is the only one that prevents automation of admin password rotation.
This all stemmed from the current FortiOS Ansible module fortios_system_admin failing and I couldn't figure out why.
Delete and recreate the account as you found is a workaround until its fixed, hoping deleting the admin account is allowed. It would be funny if you can delete an admin account, but you can't change the password! <smh>
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yeah I ran into this also but never spent time investigating until you post this thread. I still believe FTNT put some type of hook in NOT allowing you permission to change existing admin.
It's the same for sms-phone also. You can see more of it when you make the API call
diag debug reset
diag debug enable
diag debug app httpsd -1
And then call the PUT and you will get the "deny for blah blah blah" and status code 403.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I confirmed you can indeed delete the admin account via curl to the REST API:
curl -k -X DELETE "https://FW-FQDN-GOES-HERE:443/api/v2/cmdb/system/admin/admin?access_token=ACCESS-TOKEN-GOES-HERE" -H "accept: application/json"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For anyone doing this with Ansible, this workaround is valid until Fortinet Dev's fix:
tasks:
- name: Delete existing local user uri: url: https://:443/api/v2/cmdb/..em/admin/?access_token= user: "" password: "" method: DELETE body: force_basic_auth: no validate_certs: no status_code: 200 body_format: json ignore_errors: true # register: output # - debug: var=output
- name: Re-create existing local user with new password uri: url: https://:443/api/v2/cmdb/..em/admin/?access_token= user: "" password: "" method: POST body: "{ \"name\": \"\", \"password\": \"\", \"accprofile\": \"super_admin\", \"comments\": \"Full Admin Access\", \"vdom\": [ { \"name\": \"root\" } ]}" force_basic_auth: no validate_certs: no status_code: 200 body_format: json ignore_errors: true # register: output # - debug: var=output
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm told this has now been fixed in 6.4.7 by the devs.
:)
Thanks Fortinet
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like using the following api endpoint works:
```/api/v2/monitor/system/change-password```
The caveat is that you need to provide the old and new passwords
Labels
-
FortiGate
9,200 -
FortiClient
1,872 -
5.2
801 -
FortiManager
788 -
5.4
639 -
FortiAnalyzer
593 -
FortiSwitch
504 -
FortiAP
492 -
FortiClient EMS
462 -
6.0
416 -
5.6
362 -
FortiMail
335 -
SSL-VPN
281 -
IPsec
258 -
6.2
251 -
FortiAuthenticator v5.5
234 -
FortiWeb
219 -
FortiNAC
215 -
5.0
196 -
FortiGuard
146 -
SD-WAN
133 -
6.4
128 -
FortiAuthenticator
126 -
FortiGateCloud
103 -
FortiCloud Products
102 -
FortiSIEM
100 -
Firewall policy
97 -
FortiToken
96 -
Wireless Controller
85 -
Customer Service
81 -
FortiProxy
71 -
High Availability
67 -
4.0MR3
64 -
Fortivoice
60 -
FortiEDR
60 -
FortiADC
56 -
vlan
54 -
ZTNA
54 -
Routing
53 -
DNS
51 -
LDAP
47 -
FortiSandbox
46 -
FortiExtender
46 -
BGP
46 -
RADIUS
45 -
SAML
45 -
Authentication
44 -
NAT
43 -
FortiDNS
42 -
SSO
42 -
Certificate
42 -
FortiGate-VM
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
VDOM
34 -
fortilink
33 -
FortiConnect
32 -
Interface
32 -
Application control
32 -
Virtual IP
28 -
FortiWAN
27 -
Logging
27 -
Web profile
27 -
FortiConverter
26 -
FortiGate v5.2
24 -
FortiPAM
24 -
SSL SSH inspection
23 -
FortiPortal
22 -
Fortigate Cloud
21 -
Traffic shaping
20 -
FortiSwitch v6.2
19 -
Automation
19 -
Static route
19 -
FortiMonitor
18 -
SSID
18 -
snmp
17 -
OSPF
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
FortiCASB
14 -
Admin
14 -
Security profile
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
FortiManager v5.0
12 -
Proxy policy
12 -
FortiRecorder
11 -
IPS signature
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
Explicit proxy
10 -
Traffic shaping policy
10 -
FortiAP profile
10 -
Intrusion prevention
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Port policy
9 -
FortiDeceptor
8 -
FortiCache
8 -
RMA Information and Announcements
8 -
DNS filter
8 -
Antivirus profile
8 -
Traffic shaping profile
8 -
Web rating
8 -
Fortinet Engage Partner Program
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
API
7 -
trunk
7 -
Users
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Packet capture
6 -
FortiCarrier
5 -
FortiScan
5 -
FortiTester
5 -
Application signature
5 -
Authentication rule and scheme
5 -
Email filter profile
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
NAC policy
4 -
DLP sensor
4 -
Netflow
4 -
Protocol option
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
VoIP profile
4 -
Multicast routing
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
SDN connector
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Zone
2 -
Vulnerability Management
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
File filter
1 -
ICAP profile
1 -
Virtual wire pair
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1923 | |
| 1144 | |
| 769 | |
| 447 | |
| 277 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.